New MoonPeak RAT Linked to North Korean Threat Group UAT-5394

Security

A newly discovered remote access Trojan (RAT) family, MoonPeak, has been linked to a North Korean-affiliated threat group known as UAT-5394.

This sophisticated malware, based on the open-source XenoRAT, is undergoing active development, showcasing significant enhancements aimed at evading detection and improving functionality, according to recent research from Cisco Talos.

Connection to Kimsuky

UAT-5394, an emerging player in the North Korean cyber threat landscape, shares certain tactics, techniques and procedures (TTPs) with the more established North Korean state-sponsored groupKimsuky

Although there is no conclusive technical evidence to link UAT-5394 directly to Kimsuky, the overlap inoperational patterns raises the possibility that UAT-5394 could either be a subgroup within Kimsuky or another entity borrowing from Kimsuky’s playbook.

Read more on North Korean cyber-threats: North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

Evolution of MoonPeak Malware

Regardless of the connection, the group was initially observed utilizing cloud storage providers for hosting malicious payloads but has since moved to attacker-controlled servers, likely to mitigate risks associated with the shutdown of cloud locations by service providers.

The MoonPeak malware has also evolved through multiple versions, each iteration introducing new layers of obfuscation and unique communication protocols.

These modifications, which include changes to the malware’s namespace and compression techniques, are designed to avoid analysis and prevent unauthorized access to the malware’s command-and-control (C2) servers.

Complex C2 Infrastructure

The research also revealed that UAT-5394 has established a complex network of C2 servers and testing infrastructure, indicating a high level of organization and planning.

“An analysis of MoonPeak samples reveals an evolution in the malware and its corresponding C2 components that warranted the threat actors deploy their implant variants several times on their test machines. The constant evolution of MoonPeak runs hand-in-hand with new infrastructure set up by the threat actors,” Cisco Talos explained.

The security firm also mentioned that the rapid expansion of infrastructure indicates the group’s intent to scale its operations, posing a growing threat to global cybersecurity. The potential connection to Kimsuky amplifies the concern surrounding this emerging threat.

Products You May Like

Articles You May Like

Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto Schemes
Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims
Researchers Warn of Privilege Escalation Risks in Google’s Vertex AI ML Platform
Massive Telecom Hack Exposes US Officials to Chinese Espionage
PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released

Leave a Reply

Your email address will not be published. Required fields are marked *